CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null

LOW | JUNE 19, 2019 | CVE-2019-11272

Description

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of “null”.

Affected Spring Products and Versions

  • Spring Security 4.2 to 4.2.12
  • Older unsupported versions are also affected
  • Note that Spring Security 5+ is not impacted by this vulnerability.

Mitigation

Users of affected versions should apply the following mitigation:

  • 4.2.x users should upgrade to 4.2.13
  • Older versions should upgrade to a supported branch

There are no other mitigation steps necessary.

Credit

This issue was identified and responsibly reported by Tim Büthe and Daniel Neagaru from mytaxi.

History

2019-06-19: Initial vulnerability report published

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all